[docs] docs: document Azure OpenAI OIDC (Entra-only) authentication

[github-actions]

Documentation Sync - May 2026

This PR synchronizes documentation with code changes from the past 7 days.

Changes Made

• Updated docs/api-proxy-sidecar.md: Replaced the outdated limitation "No support for Azure OpenAI endpoints" with a new Azure OpenAI (Entra-only / OIDC authentication) section.

What was added

The new section documents:

• How the GitHub Actions OIDC → Azure AD workload identity federation token flow works
• Required environment variables (AWF_AUTH_TYPE=github-oidc, AWF_AUTH_AZURE_TENANT_ID, AWF_AUTH_AZURE_CLIENT_ID)
• Optional environment variables (AWF_AUTH_OIDC_AUDIENCE, AWF_AUTH_AZURE_SCOPE, AWF_AUTH_AZURE_CLOUD)
• A complete GitHub Actions workflow example with correct permissions: id-token: write and sudo --preserve-env usage

Code Changes Referenced

• Commit e26e9de: feat(api-proxy): OIDC authentication for Azure OpenAI (Entra-only) (#2599) — added oidc-token-provider.js, OIDC support in the OpenAI adapter, and forwarding of AWF_AUTH_* env vars from api-proxy-service.ts to the sidecar container.

Verification

• Code examples verified against src/services/api-proxy-service.ts and containers/api-proxy/oidc-token-provider.js
• Environment variable names match the implementation exactly
• Consistent with existing documentation style
• Removed the now-incorrect limitation bullet about Azure OpenAI being unsupported

Generated by Documentation Maintainer · ● 1.1M · ◷

[github-actions]

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit fb79528

[github-actions]

✅ Smoke Test PASS

• ✅ GitHub MCP: Listed last 2 merged PRs (feat(api-proxy): OIDC authentication for Azure OpenAI (Entra-only) #2599, Enable Copilot BYOK provider-env fallback, base-path routing, and hardened token isolation #2598)
• ✅ Playwright: GitHub page title verified
• ✅ File Write: Test file created successfully
• ✅ Bash: File verified

All tests passed for Claude engine validation.

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
1. GitHub MCP (list PRs)	✅ PR #2599 returned
2. GitHub.com HTTP	⚠️ Pre-step vars unexpanded (${{ steps.smoke-data.outputs.SMOKE_HTTP_CODE }})
3. File write/read	⚠️ Pre-step vars unexpanded (${{ steps.smoke-data.outputs.SMOKE_FILE_PATH }})
4. BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PARTIAL — Tests 2 & 3 could not be verified (workflow template variables not expanded). Tests 1 & 4 passed.

PR author: @github-actions[bot] · Reviewer: @Mossaka

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔥 Smoke Test Results

Test	Result
GitHub MCP (list PRs)	✅
GitHub.com connectivity (HTTP 200)	✅
File write/read	✅

Overall: PASS

PR: [docs] docs: document Azure OpenAI OIDC (Entra-only) authentication — author @github-actions[bot], reviewer @Mossaka

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2612 · ● 692.6K · ◷

[github-actions]

Codex smoke: FAIL
Merged PRs:

• feat(api-proxy): OIDC authentication for Azure OpenAI (Entra-only)
• Enable Copilot BYOK provider-env fallback, base-path routing, and hardened token isolation
  ✅ GitHub PR review, Playwright, File/Bash, Discussion, Build
  ❌ safeinputs-gh, Tavily search
  Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test Results — Services Connectivity

Check	Result
Redis PING	❌ Timeout/no response
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ Timeout/no response

Overall: FAIL — host.docker.internal is not reachable from this runner environment. Service containers are not accessible.

🔌 Service connectivity validated by Smoke Services